google · a-nogikh · Oct 9, 2025 · Oct 9, 2025 · Sep 4, 2025
diff --git a/syz-cluster/pkg/api/api.go b/syz-cluster/pkg/api/api.go
@@ -34,6 +34,7 @@ type FuzzConfig struct {
 	Track      string   `json:"track"` // E.g. KASAN.
 	Focus      []string `json:"focus"`
 	CorpusURLs []string `json:"corpus_urls"`
+	KMSAN      bool     `json:"kmsan"` // Needed for some temporary workarounds.
 	// Don't expect kernel coverage for the patched area.
 	SkipCoverCheck bool `json:"skip_cover_check"`
 	// Only report the bugs that match the regexp.
@@ -58,6 +59,7 @@ type KernelFuzzConfig struct {
 	CorpusURL      string   `json:"corpus_url"`
 	SkipCoverCheck bool     `json:"skip_cover_check"`
 	BugTitleRe     string   `json:"bug_title_re"`
+	KMSAN          bool     `json:"kmsan"` // Trigger the config changes necessary for KMSAN.
 }
 
 // FuzzTriageTarget is a single record in the list of supported fuzz configs.
@@ -257,7 +259,10 @@ const (
 	allCorpusURL = `https://storage.googleapis.com/syzkaller/corpus/ci-upstream-kasan-gce-root-corpus.db`
 )
 
-const kasanTrack = "KASAN"
+const (
+	kasanTrack = "KASAN"
+	kmsanTrack = "KMSAN"
+)
 
 // The list is ordered by decreasing importance.
 var FuzzTargets = []*FuzzTriageTarget{
@@ -307,6 +312,13 @@ var FuzzTargets = []*FuzzTriageTarget{
 				Focus:        FocusNet,
 				CorpusURL:    netCorpusURL,
 			},
+			{
+				Track:        kmsanTrack,
+				KernelConfig: `upstream-kmsan.config`,
+				Focus:        FocusNet,
+				CorpusURL:    netCorpusURL,
+				KMSAN:        true,
+			},
 		},
 	},
 	{

diff --git a/syz-cluster/pkg/fuzzconfig/generate.go b/syz-cluster/pkg/fuzzconfig/generate.go
@@ -19,50 +19,59 @@ var baseConfigJSON []byte
 //go:embed patched.cfg
 var patchedConfigJSON []byte
 
+//go:embed kmsan.cfg
+var kmsanConfigJSON []byte
+
 // GenerateBase produces a syz-manager config for the base kernel.
 // The caller must still invoke mgrconfig.Complete.
 func GenerateBase(cfg *api.FuzzConfig) (*mgrconfig.Config, error) {
-	var baseRaw json.RawMessage
-	err := config.LoadData(baseConfigJSON, &baseRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read the base config: %w", err)
-	}
-	base, err := mgrconfig.LoadPartialData(baseRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load the config: %w", err)
-	}
-	err = applyFuzzConfig(base, cfg)
-	if err != nil {
-		return nil, err
-	}
-	return base, nil
+	return generateConfig(cfg, false)
 }
 
-// GeneratePatched produces a syz-manager config for the base kernel.
+// GeneratePatched produces a syz-manager config for the patched kernel.
 // The caller must still invoke mgrconfig.Complete.
 func GeneratePatched(cfg *api.FuzzConfig) (*mgrconfig.Config, error) {
-	var baseRaw, deltaRaw json.RawMessage
-	err := config.LoadData(baseConfigJSON, &baseRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read the base config: %w", err)
+	return generateConfig(cfg, true)
+}
+
+func generateConfig(cfg *api.FuzzConfig, patched bool) (*mgrconfig.Config, error) {
+	type patchItem struct {
+		name  string
+		patch []byte
 	}
-	err = config.LoadData(patchedConfigJSON, &deltaRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read the patched config: %w", err)
+	patchesList := []patchItem{{name: "base", patch: baseConfigJSON}}
+	if patched {
+		patchesList = append(patchesList, patchItem{name: "patched", patch: patchedConfigJSON})
 	}
-	patchedRaw, err := config.MergeJSONs(baseRaw, deltaRaw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to merge the configs: %w", err)
+	if cfg.KMSAN {
+		patchesList = append(patchesList, patchItem{name: "kmsan", patch: kmsanConfigJSON})
+	}
+	var raw json.RawMessage
+	for i, patch := range patchesList {
+		var next json.RawMessage
+		err := config.LoadData(patch.patch, &next)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read the %s config: %w", patch.name, err)
+		}
+		if i == 0 {
+			raw = next
+		} else {
+			var err error
+			raw, err = config.MergeJSONs(raw, next)
+			if err != nil {
+				return nil, fmt.Errorf("failed to merge the configs with %s: %w", patch.name, err)
+			}
+		}
 	}
-	patched, err := mgrconfig.LoadPartialData(patchedRaw)
+	mgrConfig, err := mgrconfig.LoadPartialData(raw)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load the config: %w", err)
 	}
-	err = applyFuzzConfig(patched, cfg)
+	err = applyFuzzConfig(mgrConfig, cfg)
 	if err != nil {
 		return nil, err
 	}
-	return patched, nil
+	return mgrConfig, nil
 }
 
 func applyFuzzConfig(mgrCfg *mgrconfig.Config, cfg *api.FuzzConfig) error {

diff --git a/syz-cluster/pkg/fuzzconfig/generate_test.go b/syz-cluster/pkg/fuzzconfig/generate_test.go
@@ -46,6 +46,13 @@ func TestMultipleFocus(t *testing.T) {
 	}, filepath.Join("testdata", "mixed", "bpf_io_uring"))
 }
 
+func TestKMSANConfig(t *testing.T) {
+	runTest(t, &api.FuzzConfig{
+		Focus: []string{api.FocusBPF},
+		KMSAN: true,
+	}, filepath.Join("testdata", "mixed", "bpf_kmsan"))
+}
+
 func runTest(t *testing.T, cfg *api.FuzzConfig, baseName string) {
 	base, err := GenerateBase(cfg)
 	require.NoError(t, err)

diff --git a/syz-cluster/pkg/fuzzconfig/kmsan.cfg b/syz-cluster/pkg/fuzzconfig/kmsan.cfg
@@ -0,0 +1,5 @@
+{
+    "vm": {
+      "network_device": "virtio-net-pci"
+    }
+}
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.base.cfg
@@ -85,6 +85,7 @@
 		"reset_acc_state": false,
 		"remote_cover": true,
 		"cover_edges": false,
-		"descriptions_mode": "manual"
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
 	}
 }
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.patched.cfg
@@ -86,6 +86,7 @@
 		"reset_acc_state": false,
 		"remote_cover": true,
 		"cover_edges": false,
-		"descriptions_mode": "manual"
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
 	}
 }
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_kmsan.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_kmsan.base.cfg
@@ -0,0 +1,75 @@
+{
+	"name": "base",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/base/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/base/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"bpf",
+		"mkdir",
+		"mount$bpf",
+		"unlink",
+		"close",
+		"perf_event_open*",
+		"ioctl$PERF*",
+		"getpid",
+		"gettid",
+		"socketpair",
+		"sendmsg",
+		"recvmsg",
+		"setsockopt$sock_attach_bpf",
+		"socket",
+		"ioctl$sock_kcm*",
+		"syz_clone",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"openat$tun",
+		"write$tun",
+		"ioctl$TUN*",
+		"ioctl$SIOCSIFHWADDR",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"openat$pidfd",
+		"fstat"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 3,
+		"cpu": 2,
+		"kernel": "/base/kernel",
+		"mem": 7168,
+		"network_device": "virtio-net-pci",
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
+	}
+}
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_kmsan.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_kmsan.patched.cfg
@@ -0,0 +1,76 @@
+{
+	"name": "patched",
+	"target": "linux/amd64",
+	"http": "",
+	"rpc": ":0",
+	"workdir": "/workdir",
+	"kernel_obj": "/patched/obj",
+	"kernel_build_src": "/workdir",
+	"android_split_build": false,
+	"image": "/patched/image",
+	"ssh_user": "root",
+	"syzkaller": "/syzkaller",
+	"procs": 3,
+	"max_crash_logs": 100,
+	"sandbox": "none",
+	"sandbox_arg": 0,
+	"snapshot": false,
+	"cover": true,
+	"cover_filter": {},
+	"raw_cover": false,
+	"reproduce": true,
+	"fuzzing_vms": 3,
+	"preserve_corpus": true,
+	"enable_syscalls": [
+		"bpf",
+		"mkdir",
+		"mount$bpf",
+		"unlink",
+		"close",
+		"perf_event_open*",
+		"ioctl$PERF*",
+		"getpid",
+		"gettid",
+		"socketpair",
+		"sendmsg",
+		"recvmsg",
+		"setsockopt$sock_attach_bpf",
+		"socket",
+		"ioctl$sock_kcm*",
+		"syz_clone",
+		"mkdirat$cgroup*",
+		"openat$cgroup*",
+		"write$cgroup*",
+		"openat$tun",
+		"write$tun",
+		"ioctl$TUN*",
+		"ioctl$SIOCSIFHWADDR",
+		"openat$ppp",
+		"syz_open_procfs$namespace",
+		"openat$pidfd",
+		"fstat"
+	],
+	"strace_bin": "",
+	"strace_bin_on_target": false,
+	"execprog_bin_on_target": "",
+	"executor_bin_on_target": "",
+	"run_fsck": true,
+	"type": "qemu",
+	"vm": {
+		"cmdline": "root=/dev/sda1",
+		"count": 9,
+		"cpu": 2,
+		"kernel": "/patched/kernel",
+		"mem": 7168,
+		"network_device": "virtio-net-pci",
+		"qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+	},
+	"asset_storage": null,
+	"Experimental": {
+		"reset_acc_state": false,
+		"remote_cover": true,
+		"cover_edges": false,
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
+	}
+}
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.base.cfg
@@ -68,6 +68,7 @@
 		"reset_acc_state": false,
 		"remote_cover": true,
 		"cover_edges": false,
-		"descriptions_mode": "manual"
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
 	}
 }
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.patched.cfg
@@ -69,6 +69,7 @@
 		"reset_acc_state": false,
 		"remote_cover": true,
 		"cover_edges": false,
-		"descriptions_mode": "manual"
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
 	}
 }
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/default.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.base.cfg
@@ -44,6 +44,7 @@
 		"reset_acc_state": false,
 		"remote_cover": true,
 		"cover_edges": false,
-		"descriptions_mode": "manual"
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
 	}
 }
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/default.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.patched.cfg
@@ -45,6 +45,7 @@
 		"reset_acc_state": false,
 		"remote_cover": true,
 		"cover_edges": false,
-		"descriptions_mode": "manual"
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
 	}
 }
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.base.cfg
@@ -163,6 +163,7 @@
 		"reset_acc_state": false,
 		"remote_cover": true,
 		"cover_edges": false,
-		"descriptions_mode": "manual"
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
 	}
 }
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.patched.cfg
@@ -164,6 +164,7 @@
 		"reset_acc_state": false,
 		"remote_cover": true,
 		"cover_edges": false,
-		"descriptions_mode": "manual"
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
 	}
 }
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.base.cfg
@@ -58,6 +58,7 @@
 		"reset_acc_state": false,
 		"remote_cover": true,
 		"cover_edges": false,
-		"descriptions_mode": "manual"
+		"descriptions_mode": "manual",
+		"enable_kfuzztest": false
 	}
 }